security, digital-signature, digital-certificate, tampering

Can signed executables be tampered with while retaining the integrity of the signature?


I was wondering to what degree I can rely on the digital signatures on files (aka Digital Certificates from Verisign, Symantec etc.), when deciding if a file has been tampered with or not.

Say I want to download an application version that's no longer on the original developer's site but is available on third-party sites like cnet, oldapps.com or filehippo. I usually resort to searching for old forum entries with people listing the MD5 or SHA1 hash signature to see if they match the hash of the one I've downloaded. That only works with really big devs whose software is widespread.

I was wondering if verifying the file's digital signature is another reliable means of ensuring the file came from the dev and wasn't altered by a third party?

What I'm asking is: if a hacker injects an already signed DLL or EXE with malcode, effectively changing the file's hash, will it break the digital signature because the signature embeds some kind of digest? Or will the signature be completely unaffected?


Solution

  • I decided to answer my own question using an empirical approach rather than taking the Digital Certification authorities' word for it.

    I devised an experiment where I used a hex editor to modify copies of wdksetup.exe (a signed WDK web installer from Microsoft's website) and studied how the digital signature is affected. I substituted from 1 byte all the way up to 25 KB and made a new copy each time I made a substitution. I also used ResourceHacker to add an icon group to one of them, which added an extra 400 KB to the file.

    Results:

    (edit: I was curious to see the impact of size. I repeated the 1-byte substitution experiment on a 250 MB file with the same results. I was also curious to see if size impacts the possibility of getting collisions when calculating digests. I did a 1-byte substitution in a 3.5 GB DVD ISO, which resulted in both different MD5 and SHA1 hashes.)
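The same experiment can be scripted instead of done by hand in a hex editor. The following PowerShell is an added example and is not part of the original answer; it assumes a signed PE named wdksetup.exe in the current directory (any Authenticode-signed file will do), and the offset it patches, the temp file names and the helper function names are all choices made here, not anything from the post. It makes a copy with one byte flipped and a copy with 400 KB appended, then asks Get-AuthenticodeSignature for the status of each. An Authenticode signature is a PKCS#7 blob embedded in the PE that carries a hash of the file (with the PE checksum field and the certificate table itself excluded from the hashed range), so Windows recomputes that hash at verification time and reports HashMismatch when the bytes no longer match what was signed.

```powershell
# Added example, not code from the original post.
# Assumption: a signed PE such as wdksetup.exe sits in the current directory.
# Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
param(
    [string]$Path = ".\wdksetup.exe"   # assumed file name; any signed PE works
)

function Get-SignatureStatus([string]$File) {
    # Get-AuthenticodeSignature re-hashes the PE (skipping the checksum field and
    # the certificate table), compares it with the digest inside the signed
    # PKCS#7 blob, and then validates the signer's certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File   = Split-Path -Leaf $File
        Status = $sig.Status      # Valid, HashMismatch, NotSigned, NotTrusted, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $File).Hash
    }
}

function New-FlippedCopy([string]$Source, [string]$Dest, [int]$Offset) {
    # Copy the file and invert one byte, the scripted form of the hex-editor edit.
    $bytes = [System.IO.File]::ReadAllBytes($Source)
    $bytes[$Offset] = $bytes[$Offset] -bxor 0xFF
    [System.IO.File]::WriteAllBytes($Dest, $bytes)
}

function New-AppendedCopy([string]$Source, [string]$Dest, [int]$Count) {
    # Copy the file and append $Count zero bytes after the original contents.
    $bytes  = [System.IO.File]::ReadAllBytes($Source)
    $padded = New-Object byte[] ($bytes.Length + $Count)
    [Array]::Copy($bytes, $padded, $bytes.Length)
    [System.IO.File]::WriteAllBytes($Dest, $padded)
}

$original = (Resolve-Path $Path).Path
$length   = (Get-Item $original).Length

# Patch a byte in the middle of the file, well past the PE headers, so the edit
# lands in a region that the Authenticode hash covers. A byte changed inside the
# checksum field or the certificate table would NOT be detected, because those
# ranges are excluded from the hash by design.
$offset   = [int]($length / 2)
$flipped  = Join-Path $env:TEMP "flipped.exe"
$appended = Join-Path $env:TEMP "appended.exe"

New-FlippedCopy  -Source $original -Dest $flipped  -Offset $offset
New-AppendedCopy -Source $original -Dest $appended -Count 400KB

# Expected: the untouched file reports Valid (given a trusted chain), the
# byte-flipped copy reports HashMismatch, and the SHA256 column differs for all three.
@($original, $flipped, $appended) | ForEach-Object { Get-SignatureStatus $_ } |
    Format-Table File, Status, Signer -AutoSize
```

Status is the field to read: Valid means the bytes are exactly what the signer signed and the chain is trusted, HashMismatch means the embedded digest no longer matches the file, and NotSigned means there is no signature at all to rely on. The same check is available from the Digital Signatures tab in Explorer's file properties and from `signtool verify /pa <file>`; on Linux, `osslsigncode verify <file>` performs the equivalent check. Note that a Valid status only proves the file is unchanged since signing; it says nothing about whether the signer's key was used legitimately.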